Pink Floyd worm in 'Chinese Facebook'
The SonicWALL UTM Research team observed a new cross-site scripting worm in the wild. It is distributed within the popular Chinese social networking website renren.com.
Renren, which means "everyone" in Chinese, is China's largest online community with more than 22 million active users; it is similar to Twitter or Facebook, as it allows users to share various information, including pictures and videos, with each other.
The worm masquerades as a Flash music video of Pink Floyd's Wish You Were Here and spreads by exploiting a cross-site scripting hole. It contains a maliciously crafted Flash component loaded with an AllowScriptAccess="always" parameter.
By default, this parameter is set to "sameDomain", which means that a Flash object can only access the webpage if it was retrieved from the same domain. When the parameter is set to "always", the Flash file can directly access any element of the local webpage, including cookies.
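As an added example (not SonicWALL's code and not taken from the worm), the Python sketch below audits user-submitted HTML for Flash embeds whose AllowScriptAccess resolves to "always", applying the "sameDomain" default when the parameter is absent. The function and class names, the hosts and the sample post are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

DEFAULT = "samedomain"  # Flash Player default, as described above

class FlashEmbedAuditor(HTMLParser):
    """Record the effective AllowScriptAccess value of every Flash embed."""
    def __init__(self):
        super().__init__()
        self.embeds = []      # one dict per <embed> or <object>
        self._object = None   # <object> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser lowercases attribute names
        if tag == "embed":
            access = a.get("allowscriptaccess", DEFAULT).strip().lower()
            self.embeds.append({"tag": tag, "src": a.get("src", ""), "access": access})
        elif tag == "object":
            self._object = {"tag": tag, "src": a.get("data", ""), "access": DEFAULT}
            self.embeds.append(self._object)
        elif tag == "param" and self._object is not None:
            name = a.get("name", "").strip().lower()
            if name == "allowscriptaccess":
                self._object["access"] = a.get("value", "").strip().lower()
            elif name == "movie":
                self._object["src"] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._object = None

def flag_always_embeds(html, page_host):
    """Return embeds that grant the SWF script access to the hosting page."""
    auditor = FlashEmbedAuditor()
    auditor.feed(html)
    auditor.close()
    findings = []
    for e in auditor.embeds:
        if e["access"] == "always":
            # A relative src has no hostname: treat it as served by the page host.
            swf_host = urlparse(e["src"]).hostname or page_host.lower()
            findings.append({**e, "cross_domain": swf_host != page_host.lower()})
    return findings

# Constructed sample post; hosts are placeholders, not values from the advisory.
SAMPLE_POST = '''<embed src="http://media.example.net/a.swf" AllowScriptAccess="always">
<object data="/static/player.swf"><param name="allowScriptAccess" value="sameDomain"></object>
<object><param name="movie" value="http://media.example.net/b.swf">
<param name="AllowScriptAccess" value="Always"></object>
<embed src="http://media.example.net/c.swf">'''
```

A content filter would reject or rewrite every finding this returns before the post is stored, since user-supplied markup has no reason to request "always".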
There is a string "I'm not a malicious worm." in the worm and, in fact, it doesn't do anything other than spread.
There are also comments in the code that are lyrics from the song "Rose" by German musician Maximilian Hecker.
This malware is also known as W32/PinkRen-A [Sophos], TrojanDownloader:SWF/Nerner.A [Microsoft], JS.Frienren [Symantec].
SonicWALL Gateway AntiVirus provides protection against this malware via Agent.EKC#Js (Trojan) and Agent.BE#Swf (Trojan) signatures.